Return-Path: <SRS0=XvK4=RL=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,
	MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D3F35C43381
	for <selinux-refpolicy@archiver.kernel.org>; Fri,  8 Mar 2019 00:03:24 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 87EB72081B
	for <selinux-refpolicy@archiver.kernel.org>; Fri,  8 Mar 2019 00:03:24 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="NPxiPDi3"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726259AbfCHADY (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Thu, 7 Mar 2019 19:03:24 -0500
Received: from mail-qt1-f193.google.com ([209.85.160.193]:46545 "EHLO
        mail-qt1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726234AbfCHADX (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 7 Mar 2019 19:03:23 -0500
Received: by mail-qt1-f193.google.com with SMTP id z25so19339856qti.13
        for <selinux-refpolicy@vger.kernel.org>; Thu, 07 Mar 2019 16:03:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=wMQE6YENFN3aj5oiI1bjsqrWhzqydPL47ix7MfHPddc=;
        b=NPxiPDi3dZyFveHVFUFZ5F4fooz9nOFx0+kDhRtbPkTMdsj6bTTRZwlQakF0HcgTjL
         RFNBa+K5jjpWDoF36lUbRzhOgLdgQuPHQdrSMRu5KYczixsLZ3Gv4vX++XN/XqnpnbIO
         Khnw3qHuX6eeaL2quWNROVnBSnoF+sq+pH0nk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=wMQE6YENFN3aj5oiI1bjsqrWhzqydPL47ix7MfHPddc=;
        b=HCkaFbJjizgANTg3VuLQNiuivrptS22yb9lSBX4aA5IroVXpvDITwh4J+7AbY8Ls1N
         /upk15tyYhbo8nghufraRAhB21hb42j+LzPPxrA+kaekgoHLjrrMZE720fBiCU5A18L2
         coTVq2DpufvZC2WMhe4sCIGKeWv6VjjqlbQ3K+yy1zoC/ubBgU66xVYDmejx6JgjHmBW
         6gb4cv+n9yrFg7LC8hZOmFKlnlEiDbnnlsCeH3Hc+OJicRK7rqTeNDQEqbt4VhP8t0R9
         K8fTphB/S0EiQ7fGNGkQiVMi28YVPV1AgE8hT8Rdjd46vN2TtG6YbRrB2P+EeVGNpdf5
         Ex1g==
X-Gm-Message-State: APjAAAWMDno1p/nZ7xzaHxLZ3Ewd6hjL/BZYA0PkU3TO+Uw0dJ6DMbpK
        iC8oN/5sdGcNIl4CN7S1qinwlxrLj4M=
X-Google-Smtp-Source: APXvYqyShHZsS0MUeMQeE54av7Zo+/wlG7ywUmwN/sYV4kqweyRRlv3xe7fqWK8TMX8b/mT60E9cQw==
X-Received: by 2002:a0c:ba1d:: with SMTP id w29mr13072261qvf.228.1552003401902;
        Thu, 07 Mar 2019 16:03:21 -0800 (PST)
Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247])
        by smtp.gmail.com with ESMTPSA id h10sm5662134qta.3.2019.03.07.16.03.21
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 07 Mar 2019 16:03:21 -0800 (PST)
Subject: Re: [PATCH] Update cron use to pam interface
To:     "Sugar, David" <dsugar@tresys.com>,
        "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
References: <20190305223316.19127-1-dsugar@tresys.com>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <59271941-6b83-027e-2c78-ad80bd84a8d9@ieee.org>
Date:   Thu, 7 Mar 2019 18:55:43 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.3.0
MIME-Version: 1.0
In-Reply-To: <20190305223316.19127-1-dsugar@tresys.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 3/5/19 5:33 PM, Sugar, David wrote:
> I'm seeing a many denials for cron related to faillog_t, lastlog_t
> and wtmp_t.  These are all due to the fact cron is using pam (and my
> system is configured with pam_faillog).  I have updated cron to use
> auth_use_pam interface to grant needed permissions.
> 
> Additional change to allow systemd_logind dbus for cron.
> 
> I have included many of the denials I'm seeing, but there are probably
> others I didn't capture.
> 
> type=AVC msg=audit(1551411001.389:1281): avc:  denied  { read write } for  pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1551411001.389:1281): avc:  denied  { open } for  pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
> type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
> type=AVC msg=audit(1551411001.389:1282): avc:  denied  { lock } for  pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
> type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1551411001.389:1283): avc:  denied  { write } for  pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1551411001.389:1283): avc:  denied  { open } for  pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1551412201.489:1513): avc:  denied  { getattr } for  pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
> type=AVC msg=audit(1551412201.511:1514): avc:  denied  { read write } for  pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1551412201.511:1514): avc:  denied  { open } for  pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1551412201.511:1515): avc:  denied  { lock } for  pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
> type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
> type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
> type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
> type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
> type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
> type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/services/cron.te    | 4 ++--
>   policy/modules/system/authlogin.if | 3 +--
>   2 files changed, 3 insertions(+), 4 deletions(-)
> 
> diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
> index 3cb4cd65..4c2bccf4 100644
> --- a/policy/modules/services/cron.te
> +++ b/policy/modules/services/cron.te
> @@ -310,9 +310,8 @@ init_start_all_units(system_cronjob_t)
>   init_get_generic_units_status(system_cronjob_t)
>   init_get_system_status(system_cronjob_t)
>   
> -auth_domtrans_chk_passwd(crond_t)
>   auth_manage_var_auth(crond_t)
> -auth_use_nsswitch(crond_t)
> +auth_use_pam(crond_t)
>   
>   logging_send_audit_msgs(crond_t)
>   logging_send_syslog_msg(crond_t)
> @@ -434,6 +433,7 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	systemd_dbus_chat_logind(crond_t)
>   	systemd_write_inherited_logind_sessions_pipes(crond_t)
>   ')
>   
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 0153ab07..fe9ca3bb 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -51,10 +51,9 @@ interface(`auth_use_pam',`
>   	auth_domtrans_chk_passwd($1)
>   	auth_domtrans_upd_passwd($1)
>   	auth_dontaudit_read_shadow($1)
> -	auth_read_login_records($1)
> -	auth_append_login_records($1)
>   	auth_rw_lastlog($1)
>   	auth_rw_faillog($1)
> +	auth_rw_login_records($1)
>   	auth_setattr_faillog_files($1)
>   	auth_exec_pam($1)
>   	auth_use_nsswitch($1)

Merged.

-- 
Chris PeBenito